The short version: Oruvia collects only what's needed to give you personalized UV protection timing. We don't sell your data. We don't run ads. Your skin profile stays in your private Firebase account and is never shared with third parties for marketing. We do not collect email addresses in the app.
App — information you provide:
| Data | Where collected | Purpose |
|---|---|---|
| First name | Welcome screen | Personalized greetings and avatar initials in the app. Stored locally on device and in your Firebase account. Never used for marketing. |
| Sun protection goal prevent aging · avoid burns · manage melasma · build habit |
Onboarding step 1 | Tailors AI Coach recommendations to what matters most to you. |
| Skin tone sensitive Monk Scale MST01–MST10 |
Onboarding step 2 | Calibrates burn risk, SPF reapplication window, and product white cast filtering. |
| Skin conditions sensitive acne-prone · rosacea · melasma · fragrance sensitivity |
Onboarding step 3 | Filters product recommendations (e.g. non-comedogenic for acne, mineral-only for rosacea). |
| Allergies sensitive | Profile screen | Excludes products containing allergens or ingredients flagged as unsafe for you. |
| SPF preference & application quality SPF level · light / typical / thorough |
Onboarding step 4 | Calibrates your real protection window in the SPF timer engine. |
| Saved sunscreen products | Profile screen | Powers Coach recommendations and feeds SPF values back into the timer engine. |
| Notification preferences reapply reminders · UV spike alerts · weekly recap |
Permissions screen (onboarding step 5) | Controls which push notifications you receive. |
App — information collected automatically:
App — what we do not collect:
Website (getoruvia.com) — separate from the app:
We use the information we collect solely to operate and improve Oruvia:
We do not use your information to serve advertisements, build marketing profiles, or sell to third parties under any circumstances.
Exactly what gets sent to the AI: When you open the Coach screen, the following fields from your profile are included in a request to our Firebase Cloud Function, which calls the Anthropic Claude API: skin tone, skin conditions, allergies, sun protection goal, preferred SPF level, application quality, and saved products. Your first name, email, and precise location are not included.
All AI requests are proxied through our Cloud Function — your data is never sent directly from your device to Anthropic. The Cloud Function transmits only the fields listed above and includes no device identifiers or account credentials.
Anthropic does not retain your data beyond processing the response, in accordance with their API data usage policy. Your profile data is not used by Anthropic to train their models via the API. See anthropic.com/privacy for their full policy.
AI Coach requests are rate-limited globally to manage costs. If the Coach is unavailable, the screen will show an error — it will never display a fabricated or hardcoded recommendation.
You can opt out of AI coaching entirely by simply not using the Coach screen. All other features — the timer, Insights, and product filtering — work without it and without any data being sent to Anthropic.
Your skin profile and session data are stored in Firebase (Google Cloud, US-Central region — nam5). Firebase is SOC 2 Type II and ISO 27001 certified. All data is encrypted in transit (TLS 1.2+) and at rest (AES-256).
Anonymous authentication is used by default — no account creation is required to use Oruvia. If you sign in with Google or Apple, your Firebase account is linked to that identity and subject to the authentication provider's terms.
Your skin profile is also cached locally on your device via AsyncStorage for offline access. This cache is cleared when you uninstall the app or clear app data.
Sensitive fields — skin tone, skin conditions, and allergies — are stored with encryption and are never used in advertising or shared with third parties for marketing.
All API keys (WeatherAPI, Anthropic) are stored in Firebase Secret Manager only. They are never embedded in the app binary or transmitted to your device.
Oruvia uses the following third-party services, each subject to its own privacy policy:
We do not integrate with advertising networks, data brokers, or social media tracking pixels.
California residents (CCPA): You have the right to know what personal information we collect, to request deletion, and to opt out of the sale of your personal information. We do not sell personal information. For CCPA requests, contact info@getoruvia.com.
EEA/UK residents (GDPR): You may also have the right to restrict processing or lodge a complaint with your local supervisory authority. Our lawful basis for processing your data is your consent (given at onboarding) and legitimate interests (app functionality and security).
Oruvia is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that a child under 13 has provided us with personal information, we will delete it promptly. If you believe a child has provided us with their information, please contact us at info@getoruvia.com.
Important: Oruvia is a consumer wellness tool, not a medical device. SPF reapplication timers, AI coaching recommendations, and UV exposure estimates are for informational purposes only and do not constitute medical advice. Always consult a qualified dermatologist or healthcare provider regarding your skin health and sun protection needs.
Skin tone, skin conditions, and allergy data you enter into Oruvia may constitute sensitive health-related information. We treat this data with the highest level of care: it is never used for advertising, never shared with third parties for marketing, and is stored with encryption as described in Section 4.
If Oruvia is involved in a merger, acquisition, asset sale, or similar transaction, your data may be transferred as part of that transaction. We will notify you via a push notification in the app (or by email if you are on the waitlist) before your data is transferred and becomes subject to a different privacy policy. You will have the opportunity to request deletion of your data before any transfer occurs.
In the event that Oruvia ceases operations, we will provide at least 30 days' notice and give you the opportunity to request deletion of your data before it is removed or transferred to any successor entity.
We may update this Privacy Policy from time to time. When we make material changes, we will notify you via push notification (if enabled) or email (if you are on the waitlist). The "Last updated" date at the top of this page will always reflect the most recent version. Continued use of Oruvia after an update constitutes acceptance of the revised policy.
For questions about this policy, data rights requests, or any privacy-related matter:
We aim to respond to all privacy-related inquiries within 5 business days.